\section{Conclusion}

The results Barkan, Biham and Keller presents in their article, shows that the
$A5/2$ cipher is not secure. GSM should not rely on the security of these
algorithms. The fact that the key-stream can be described as a system of
quadratic equations of all the variables of the registers, and further
linearized and solved with data from just four frames, makes it easy to obtain
the initial state of the system and thus recover the secret key $K_c$. We have
described both their know plaintext and ciphertext-only attacks on $A5/2$, where
the attacker can obtain $K_c$ in a reasonable amount of time.

It is quite easy to see the deliberate downgrade in the security of this
algorithm (compared to $A5/1$). The fact that all we need is to guess a 16 bit
number in order to obtain the secret key, is a grave security issue.

The $A5/1$ cipher, could also be broken when applying a time/memory/data
trade-off attack to a function defined over a parity check matrix and the
ciphertext. These attacks are possible because the GSM protocol makes the
mistake of using error correction on the message before encryption is done. The
redundancy introduced into the plaintext makes the attack possible.

The weak encryption algorithms used by the GSM system are clearly not the only
problem with the design. Even if a stronger cipher was used, the protocol still
suffers from the vulnerabilities mentioned earlier. A way to improve the
protocol would be to make sure that keys used for encryption are unrelated
depending on which cipher is used. Also, if the mobile phone had a way to
determine the authenticity of the network, the attacker would not be able to
mount an attack using a fake base station.
